Description: 

CloudFront speeds up distribution of your static and dynamic web content, such as .html, .css, .php, image, and media files. When users request your content, CloudFront delivers it through a worldwide network of edge locations that provide low latency and high performance. 


Rationale: 

Enabling CloudFront logging and configuring the logs to be placed in a separate bucket gives access to log information that can be useful in security and incident response workflows. Field-Level Encryption on Amazon CloudFront.


Remediation:

Using CloudFront Geo Restriction


When a user requests your content, CloudFront typically serves the requested content regardless of where the user is located. If you need to prevent users in specific countries from accessing your content, you can use the CloudFront geo restriction feature to do one of the following:

  • Allow your users to access your content only if they're in one of the countries on a whitelist of approved countries.
  • Prevent your users from accessing your content if they're in one of the countries on a blacklist of banned countries.


To add geo restriction to your CloudFront web distribution (console)

  1. Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/
  2. Select the distribution that you want to update.
  3. In the Distribution Settings pane, choose the Restrictions tab.
  4. Choose Edit.
  5. Enter the applicable values. For more information, see Restrictions.
  6. Choose Yes, Edit.
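
The same change made through the CloudFront API rather than the console, together with an audit check for distributions that have no restriction. This is an added example, not part of the original page: the function names and the SAMPLE config are constructed for illustration, and the live call assumes boto3 and AWS credentials.

```python
import copy
import re

_CODE = re.compile(r"^[A-Z]{2}$")  # shape of an ISO 3166-1 alpha-2 country code

def geo_restriction(mode, countries=()):
    """Build the GeoRestriction structure used in a CloudFront DistributionConfig."""
    if mode not in ("whitelist", "blacklist", "none"):
        raise ValueError(f"unknown restriction type: {mode!r}")
    codes = sorted({c.strip().upper() for c in countries})  # normalise and de-duplicate
    bad = [c for c in codes if not _CODE.match(c)]
    if bad:
        raise ValueError(f"not two-letter country codes: {bad}")
    if mode == "none":
        if codes:
            raise ValueError("'none' takes no country list")
        return {"RestrictionType": "none", "Quantity": 0}
    if not codes:
        raise ValueError(f"{mode} needs at least one country")
    return {"RestrictionType": mode, "Quantity": len(codes), "Items": codes}

def with_geo_restriction(config, mode, countries=()):
    """Return a copy of a DistributionConfig with only the geo restriction changed."""
    updated = copy.deepcopy(config)
    updated.setdefault("Restrictions", {})["GeoRestriction"] = geo_restriction(mode, countries)
    return updated

def is_geo_restricted(config):
    """Audit check: True when a whitelist or blacklist with entries is set."""
    geo = config.get("Restrictions", {}).get("GeoRestriction", {})
    return geo.get("RestrictionType") in ("whitelist", "blacklist") and geo.get("Quantity", 0) > 0

def apply_geo_restriction(distribution_id, mode, countries):
    """Read-modify-write against the live API (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the pure functions above work offline
    cf = boto3.client("cloudfront")
    current = cf.get_distribution_config(Id=distribution_id)
    new_config = with_geo_restriction(current["DistributionConfig"], mode, countries)
    # IfMatch carries the ETag so a concurrent change is rejected, not overwritten
    cf.update_distribution(Id=distribution_id, IfMatch=current["ETag"],
                           DistributionConfig=new_config)
    return new_config["Restrictions"]["GeoRestriction"]

# Constructed sample: the relevant part of a DistributionConfig with no restriction
SAMPLE = {"Comment": "constructed example", "Restrictions": {
    "GeoRestriction": {"RestrictionType": "none", "Quantity": 0}}}
```
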



Resources: 

https://docs.aws.amazon.com/cloudfront/?id=docs_gateway

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html